ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Over Computer

v1.0.4

Trade on prediction markets through over.computer. Browse markets, approve funds, place buy/sell orders, and check positions on Myriad. Use when the operator...

1· 234·0 current·0 all-time
byMárton Borsos@dabors

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dabors/over-computer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Over Computer" (dabors/over-computer) from ClawHub.
Skill page: https://clawhub.ai/dabors/over-computer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install over-computer

ClawHub CLI

Package manager switcher

npx clawhub@latest install over-computer
Security Scan
Capability signals
CryptoRequires walletRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to operate against over.computer, but every API call in SKILL.md targets a Google Cloud Run domain (over-computer-validator-1002664526717.europe-north2.run.app). Registry metadata at the top reported no required environment variables or primary credential, yet SKILL.md declares and requires OVER_API_KEY. These mismatches (missing declared credential in registry and use of a third‑party run.app domain rather than the advertised homepage) are unexpected for a straightforward trading integration.
Instruction Scope
SKILL.md contains only trading-related instructions (register, fetch config, list markets, place orders, check positions) and example curl commands. It does not instruct reading unrelated files or environment variables. It does instruct storing an API key as OVER_API_KEY and to follow operator-provided 'prompt' as a directive — both are reasonable but rely on trusting the remote service.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or fetched at install time. That minimizes installation risk.
!
Credentials
The runtime requires a single sensitive credential (OVER_API_KEY), which is proportionate for an API client. However, the registry metadata did not list any required env vars or primary credential while SKILL.md requires one — an inconsistency that could lead users to unknowingly provide secrets. The declared credential is explicitly for the run.app validator endpoint rather than the over.computer homepage, so the key will be presented to/used by that third party.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does ask the agent to store and use a credential (OVER_API_KEY) for API calls, which is normal for an API integration.
What to consider before installing
Before installing or using this skill: 1) Verify why the skill's API calls go to over-computer-validator-1002664526717.europe-north2.run.app instead of an over.computer API (ask the skill author or over.computer support). 2) Do not paste your over.computer API key into the agent until you confirm the validator service is official/trustworthy and you understand how keys are stored and used. 3) Ask the publisher to fix the registry metadata to declare the required OVER_API_KEY so the platform accurately warns you. 4) If unsure, prefer manually performing sensitive operations on the official website rather than granting the agent a bearer token for a third‑party endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk975cz2pry64cfpt7np6v0cmg584c0y5
234downloads
1stars
5versions
Updated 9h ago
v1.0.4
MIT-0
Márton Borsos@dabors
latest
Download

over.computer

Trade on prediction markets through the over.computer API.

Use this when the operator says things like:

  • check markets
  • place an order / buy / sell
  • approve funds
  • show my positions
  • list my orders

Getting started

If OVER_API_KEY is not set, help the operator register:

Option A — agent-initiated:

  1. Call the link endpoint (no auth required) to obtain a registration URL:
curl -s --request GET \
  --url https://over-computer-validator-1002664526717.europe-north2.run.app/config/link

This returns { "configId": "<uuid>", "url": "<registration_url>" }.

  1. Give the operator the url and ask them to open it, connect their wallet on over.computer, and copy the API key shown after setup.
  2. Once the operator provides the key, store it as OVER_API_KEY.

Option B — operator-initiated:

  1. The operator goes to https://over.computer directly, registers, and obtains an API key.
  2. The operator gives the key to you.

Authentication

All endpoints under /myriad/* and /agent/* require the header:

Authorization: Bearer $OVER_API_KEY

Get your config

Retrieve your agent’s configuration from the operator (same auth as Myriad routes):

curl -s --request GET \
  --url https://over-computer-validator-1002664526717.europe-north2.run.app/agent/config \
  --header "Authorization: Bearer $OVER_API_KEY"

Returns: { "prompt": "...", "label": "..." } (either field may be null if unset).

  • prompt — trading instructions from the operator; follow them as your directive.
  • label — your agent’s display name.

Guardrails (position limits, trade limits, allowed markets, etc.) are enforced server-side and are not exposed on this endpoint. If an order violates a guardrail, the execute endpoint will reject it with a clear reason.

Browse markets

List open markets:

curl -s --request GET \
  --url "https://over-computer-validator-1002664526717.europe-north2.run.app/myriad/markets?state=open&limit=10&page=1" \
  --header "Authorization: Bearer $OVER_API_KEY"

Query parameters: limit (number), page (number), state (string, default open).

Get details for a specific market:

curl -s --request GET \
  --url "https://over-computer-validator-1002664526717.europe-north2.run.app/myriad/markets/{slug}" \
  --header "Authorization: Bearer $OVER_API_KEY"

Place an order

curl -s --request POST \
  --url https://over-computer-validator-1002664526717.europe-north2.run.app/myriad/order/execute \
  --header "Authorization: Bearer $OVER_API_KEY" \
  --header "Content-Type: application/json" \
  --data '{
  "idempotency_key": "unique-key-per-order",
  "order": {
    "market_id": 123,
    "outcome_id": 0,
    "side": "BUY",
    "size": 50,
    "slippage": 0.05
  }
}'

Body fields:

  • idempotency_key (string, required) — unique key to prevent duplicate orders
  • order.market_id (number, required)
  • order.outcome_id (number, required)
  • order.side ("BUY" | "SELL", required)
  • order.size (number, required) — order size in token units
  • order.slippage (number, optional)

A duplicate idempotency_key returns HTTP 400 with the existing order.

Check positions

curl -s --request GET \
  --url https://over-computer-validator-1002664526717.europe-north2.run.app/myriad/order/positions \
  --header "Authorization: Bearer $OVER_API_KEY"

Order history

curl -s --request GET \
  --url https://over-computer-validator-1002664526717.europe-north2.run.app/myriad/order/list \
  --header "Authorization: Bearer $OVER_API_KEY"

Config guardrails

The operator's config may restrict what the agent can do:

  • allowed_markets — whitelist of permitted market IDs
  • max_order_size — maximum USD value per order
  • max_trades_per_day — daily trade limit

When a request violates a guardrail the API returns an error with a clear reason, for example:

  • "Market 456 is not in the allowed markets list"
  • "Order size 200 * price 1 exceeds max allowed 100"
  • "Trades per day 10 exceeds max allowed 5"

When this happens:

  1. Do not retry the request.
  2. Tell the operator the exact rejection reason.
  3. Ask the operator to update their config at https://over.computer — only humans can change config settings.

Error reference

  • 400 — Bad request or duplicate idempotency_key
  • 401 — Missing or invalid API key
  • 403 — Agent has no associated user or no config found
  • 404 — Resource not found
  • 500 — Server error (includes guardrail rejections wrapped in order execution)

If execution cannot proceed due to missing credentials or API errors, inform the operator and stop. Do not retry failed requests without operator confirmation.

Comments

Loading comments...